The CISO reporting structure sure is a hot topic. I’ve probably read twenty articles addressing this issue. The problem is that I agree with all of them. Who should the CISO report to? Unfortunately for CISOs, the correct answer is, “Yes”.
My perspective is maybe a little unique. I spend most of my days getting inside the minds of CISOs. I’m a headhunter, so my job is not only to assess the temperament, skill set, background and leadership style of a CISO, but to understand his or her Security Program and the posture of the overall business toward said Program. I always ask a CISO who he/she reports to. The answers are different (“I report to the… [insert C-level alphabet].”), but the follow-up comment is usually the same (“Yeah, it’s not ideal, but…”).
Cyber risks have a way of throwing a wrench into long-established boundaries of business. Breaches can come from core systems, employees, customers, vendors, people with bad intentions, and on and on. Then there’s the general structure of mature Security Programs. Privacy and Risk must be separated from the IT Security side, and while Cyber is under IT, it’s a bit of its own thing. Think of it like a slightly dysfunctional family. Compliance and Privacy are the Grandparents that show up to watch the kids and can be annoying, cantankerous and overly strict, albeit well-intentioned and generally wise. The CISO is a strange combo of the parents – doing their best to handle too many balls floating in the air. IT are the kids, and Cyber is the black sheep child that plays video games all night, sleeps in the attic and slips out a window to sit on the roof and smoke. It’s an unwieldy organization. It should be. A CISO’s job is not just to protect IT, but the business as a whole.
So back to the reporting structure. Should the CISO report to the CIO? Absolutely. A mark of a good CISO is an IT and Security organization that plays well together instead of throwing “responsibility bombs” over the cubicle walls at each other.
Should the CISO report to the CEO? Without question. A great CISO is both a subject matter expert and a consensus builder, but there are instances of priority and money where the CISO and CIO will differ. The CEO must carry the Security torch and be in a position to make decisions as to what’s most important for the company. Should the CISO report to the CFO or COO? I’m not buying it. There are infrequent instances where a CFO, or more likely a COO, has the chops to handle Security amongst all their other priorities. If they can, give them a raise and a new title – CEO.